fix(eio): prevent WebTransport connections when a middleware is registered

Author: darrachequesne

packages/engine.io/lib/server.ts

@@ -529,6 +529,15 @@ export abstract class BaseServer extends EventEmitter {
   }
 
   public async onWebTransportSession(session: any) {
+    if (this.middlewares.length > 0) {
+      // middlewares expect an IncomingMessage argument, which cannot be created from the WebTransport session object
+      // see also: https://github.com/fails-components/webtransport/issues/448
+      debug(
+        "closing session since WebTransport is not compatible with middlewares",
+      );
+      return session.close();
+    }
+
     const timeout = setTimeout(() => {
       debug(
         "the client failed to establish a bidirectional stream in the given period",

packages/engine.io/test/webtransport.mjs

@@ -392,6 +392,32 @@ describe("WebTransport", () => {
     );
   });
 
+  it("should refuse the connection when a middleware is registered", (done) => {
+    setupServer({}, async ({ engine, h3Server, certificate }) => {
+      engine.use((req, res, next) => next());
+
+      engine.on("connection", () => {
+        done(new Error("should not happen"));
+      });
+
+      const client = new WebTransport(
+        `https://127.0.0.1:${h3Server.port}/engine.io/`,
+        {
+          serverCertificateHashes: [
+            {
+              algorithm: "sha-256",
+              value: certificate.hash,
+            },
+          ],
+        },
+      );
+
+      await client.closed;
+
+      success(engine, h3Server, done);
+    });
+  });
+
   it("should send ping/pong packets", (done) => {
     setup(
       {